Hello Ken,
I too have started getting a lot of failed mail delivery notices as you describe. The typical scenario is that one user sends an email to multiple in-house (i.e. local) users, either by listing each individually, or using the group email alias. Shortly thereafter, the person will receive a bounce message from SME Server listing dozens of failed delivery attempts to addresses OUTSIDE our domain (not to the listed recipients of the message).
This happened to me about six months ago two or three times, and then stopped before I could figure out what was going on. Like you, I cannot figure out for the life of me what to look for in the logs to see if SME Server is really sending these spam messages, or if one of the recipient machines is compromised, or if something else is going on altogether.
If someone who is a mail expert here can help figure this out, I sure would appreciate it!
Here is the sequence from the event that occurred today, which is very similar to what occurred six months ago:
A user, sbxxx@pwarch.com (pwarch.com is my domain, with about 35 internal users), sends a message from Outlook to about 25 people, all of whom are users on the SME Server (no recipients outside our network). Here is part of the message source from the bounce message that shows what she sent (I have anonymized all the recipient addresses for privacy):
Return-Path: <sbxxx@pwarch.com>
Received: (qmail 11619 invoked by alias); 15 Mar 2013 16:01:30 -0000
Delivered-To: alias-localdelivery-rxxxx@pwarch.com
Received: (qmail 11550 invoked by uid 453); 15 Mar 2013 16:01:29 -0000
Received: from pc-00152.pwarch.com (HELO wkstn025) (192.168.0.152)
(smtp-auth username sbeaty, mechanism login)
by pwarch.com (qpsmtpd/0.84) with (DES-CBC3-SHA encrypted) ESMTPSA; Fri,
15 Mar 2013 11:01:29 -0500
From: "Sheila Bxxxx" <Xxxxx@pwarch.com>
To: "Ali Dxxxx" <Xxxxx@pwarch.com>,
"Alvaro Axxxx" <Xxxxx@pwarch.com>,
"Andy Ixxxx" <Xxxxx@pwarch.com>,
"Andy Pxxxx" <Xxxxx@pwarch.com>,
"Barry Lxxxx" <Xxxxx@pwarch.com>,
"Christine Txxxx" <Xxxxx@pwarch.com>,
"Chuck Wxxxx" <Xxxxx@pwarch.com>,
"Clay Sxxxx" <Xxxxx@pwarch.com>,
"Dana Wxxxx" <Xxxxx@pwarch.com>,
"Dustin Nxxxx" <Xxxxx@pwarch.com>,
"Frank Mxxxx" <Xxxxx@pwarch.com>,
"Gregory Jxxxx" <Xxxxx@pwarch.com>,
"Jay Mxxxx" <Xxxxx@pwarch.com>,
"Jennifer Yxxxx" <Xxxxx@pwarch.com>,
"Kenneth Oxxxx " <Xxxxx@pwarch.com>,
"Kevin Txxxx " <Xxxxx@pwarch.com>,
"Larry Gxxxx" <Xxxxx@pwarch.com>,
"Lillie Gxxxx" <Xxxxx@pwarch.com>,
"Melissa Exxxx" <Xxxxx@pwarch.com>,
"Michael Cxxxx" <Xxxxx@pwarch.com>,
<Rxxxx@pwarch.com>,
"Sam Nxxxx" <Xxxxx@pwarch.com>,
"Steve Sxxxx" <Xxxxx@pwarch.com>,
"Vicki Sxxxx" <Xxxxx@pwarch.com>,
"Wendy Jxxxx" <Xxxxx@pwarch.com>
Subject: Fundraiser
Date: Fri, 15 Mar 2013 11:01:48 -0500
Message-ID: <002e01ce2196$667a5fb0$336f1f10$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_002F_01CE216C.7DA457B0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac4hlmYiMjVoF/x3RO+F8x+28+CGXw==
Content-Language: en-us
X-Virus-Checked: Checked by ClamAV on pwarch.com
This is a multi-part message in MIME format.
------=_NextPart_000_002F_01CE216C.7DA457B0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0030_01CE216C.7DA457B0"
------=_NextPart_001_0030_01CE216C.7DA457B0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
~~~~~~~~~~~~~~~~~
I have truncated the rest of the message
But the bounce message received by this user lists dozens of failed delivery attempts to people who were not sent this message. Here is the beginning of the bounce:
From: MAILER-DAEMON@pwarch.com [mailto:MAILER-DAEMON@pwarch.com]
Sent: Friday, March 15, 2013 11:02 AM
To: sbeaty@pwarch.com
Subject: failure notice
Hi. This is the qmail-send program at pwarch.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<kenhellman@msn.com>:
65.55.37.104 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.104.
<KennedtContracting@msn.com>:
65.55.37.88 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.88.
<KevinRTracy@msn.com>:
65.55.37.104 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.104.
<kolowalls@msn.com>:
65.55.92.184 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.184.
<larryellisaia@msn.com>:
65.55.92.184 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.184.
<lambarger@msn.com>:
65.55.37.88 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.88.
~~~~~~~~~~~~~~~~~~
The list continues for dozens and dozens of "recipients".
I have looked in the logs for all of these bogus recipient names with no luck. But I am not sure where to look. Is my server compromised? It is curious that this has never happened when the true recipient for the email is an external one.
Please, someone, help if you can.
Thanks,
Kevin
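One way to triage a bounce like the one quoted above, added here as an example and not part of the original post: it parses the per-recipient failure entries in a qmail-send failure notice and flags any failed address that was neither in the original message's To/Cc nor inside the local domain, which is the pattern that points at backscatter or an abused account rather than a delivery problem with the message the user actually sent. It assumes qmail's standard "--- Below this line is a copy of the message." separator before the appended copy, and all addresses and hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an abbreviated qmail-send failure notice in the same
# shape as the one in the post, with placeholder addresses and hosts.
BOUNCE = """Hi. This is the qmail-send program at example.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<alice@example.com>:
192.0.2.10 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 192.0.2.10.

<stranger@example.net>:
192.0.2.20 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 192.0.2.20.

--- Below this line is a copy of the message.

Return-Path: <sender@example.com>
From: "Sender" <sender@example.com>
To: "Alice" <alice@example.com>,
 "Bob" <bob@example.com>
Subject: Fundraiser

body
"""

# One qmail failure entry: "<addr>:", the rejecting host, then the SMTP reply.
FAILURE_RE = re.compile(
    r"^<([^>]+)>:\n(\S+) does not like recipient\.\nRemote host said: (.*)$", re.M)
COPY_MARKER = "--- Below this line is a copy of the message."  # assumed qmail separator

def parse_failures(bounce):
    """Return [(address, remote_host, smtp_reply)] for each failed recipient."""
    return FAILURE_RE.findall(bounce)

def original_recipients(bounce):
    """Addresses in To/Cc of the original message appended to the bounce."""
    if COPY_MARKER not in bounce:
        return set()
    msg = message_from_string(bounce.split(COPY_MARKER, 1)[1].lstrip("\n"))
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs)}

def unexpected_failures(bounce, local_domain):
    """Failures for addresses the sender never listed and that are off-domain."""
    wanted = original_recipients(bounce)
    return [(a, h, r) for a, h, r in parse_failures(bounce)
            if a.lower() not in wanted and not a.lower().endswith("@" + local_domain)]
```

Any address this returns for a real bounce is one the sender did not address, so the next step is to find that recipient in the qmail/qpsmtpd logs by queue id and see which authenticated session or local process injected it.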